Abstract. We study the problem of preventing double spending in electronic payment schemes in a distributed fashion. This problem occurs, for instance, when the spending of electronic coins needs to be controlled by a large collection of nodes (e.g., in a peer-to-peer (P2P) system) instead of one central bank. Contrary to the commonly held belief that this is fundamentally impossible, we propose several solutions that do achieve a reasonable level of double spending prevention, and analyse their efficiency under varying assumptions.



1 Introduction 

Many electronic payment schemes exist. For an overview, we refer to Asokan et 
al. [AJSW97] or O'Mahony et al. [OPT97]. Some of those are coin based, where 
some bitstring locally stored by a user represents a certain fixed value. 

Coin based systems run the risk that many copies of the same bitstring 
are spent at different merchants. Therefore, these systems need to incorporate 
double spending prevention or detection techniques. To prevent double spending, 
a central bank is usually assumed which is involved in each and every transaction. 
In off-line scenarios (where such a connection to a central bank is not available), 
double spending detection techniques are used that will discover double spending 
at some later time, and that allow one to find the perpetrator of this illegal 
activity. A major drawback of double spending detection techniques is the risk 
that a dishonest user spends a single coin a million times in a short period of 
time before being detected. This is especially a problem if such a user cannot be 
punished for such behaviour afterwards, e.g., fined, penalised judicially, or being 
kicked from the system permanently. 
Recently, the use of electronic payment-like systems has been proposed¹ to 
counter SPAM [Hir02] or to enforce fairness among users of peer-to-peer (P2P) 
networks [YGM03, VCS03, GH05]. In such systems it is unreasonable to assume 
a central bank, either because it does not exist, or because it would go against 
the design philosophy of the system (as is the case for P2P networks). At first 
sight it then appears to be impossible to prevent double spending. This would 
limit the usefulness of such approaches because of the rapid double spending 
problem described above: users can easily rejoin a P2P system under a different 
alias and continue their bad practises forever. 

In [GII05] we wrote: 

We note that for any system offering off-line currency, double-spending 
prevention is generally speaking not possible, unless extra assumptions 
(e.g., special tamper proof hardware) are made. 

In that paper, in fact, we were not considering a completely off-line system, but 
a decentralised system without a central bank instead. The difference turns out 
to be decisive. In a truly off-line system (where the receiver of a coin has no 
network access to perform any kind of checking, and where the spender of a 
coin is not forced to adhere to a security policy through some kind of tamper 
proof hardware [SS99]) the chances of double spending prevention are slim. We 
soon after realised, however, that the situation is not so bad in an on-line but 
decentralised system without a central bank. 

The crucial observation is that it may be impossible, or very expensive, to 
prevent every possible double spending of a coin (i.e., a deterministic approach), 
but that it may very well be possible to prevent that a particular coin is double 
spent many times, using efficient randomised techniques. Even such a weaker 
guarantee limits the damage an adversary can do. In other words, the main 
paradigm shift is the realisation that double spending a single coin twice is not 
so bad, but spending it a hundred times should be impossible. Of course, such 
a probabilistic and limited security property may not be strong enough for the 
protection of 'real' money. It may, however, be quite workable for currencies used 
to enforce fairness among P2P users. 

In this paper we study several such techniques for distributed double spending 
prevention. We focus in this paper on methods to distribute the tasks of the 
central bank over (a subset of) the nodes in the system. An extreme case would be 
the distribution of the central bank over all nodes in the system, making everyone 
a clerk working for the bank. This would lead to an enormous communication 
overhead, as all n nodes in the system would have to be contacted for each 
and every transaction. We study techniques to reduce the size of such clerk 
sets, mainly in probabilistic ways, while still keeping reasonable double-spending 
prevention guarantees. 

¹ America Online and Yahoo announce introduction of electronic postage for email messages ("Postage is Due for Companies Sending E-Mail", New York Times, February 5, 2006).
Next to a deterministic approach, there are two fundamentally different ways to construct the clerk sets in a probabilistic manner. The most efficient method — yielding the smallest clerk sets — uses the unique identifier of a coin to limit the possible members of the clerk set in advance. In this model, certain clerks attract certain coins, making it far more likely that double spending is detected. The drawback is that given a particular coin these clerks are known beforehand. This means the adversary has advance knowledge regarding the clerks that it needs to bribe in order to be able to double spend a particular coin. In certain situations this may be undesirable. Therefore we also study the less efficient case where the clerks are selected uniformly at random.

1.1 Our results 

We prove the following results, where n is the total number of nodes, f is the total number of dishonest nodes, d is the number of dishonest nodes that may be corrupted by the adversary after they join the network, and s is the security parameter (see Section 2 for details).

Deterministic double spending prevention can be achieved with clerk sets of size $2\sqrt{n(f+1)}$.

Using randomisation, double spending can be prevented with clerk sets of size at least $\sqrt{ns/(\log e\,(1 - f/n))}$. If we require that double spending only needs to be detected when a single coin is double spent at least r times², we need clerk sets of size at least $\sqrt{2ns/(r(r-1))} + 1$ when f = 1 (i.e., if only the double-spender itself is dishonest) and at least $\sqrt{ns/(\log e\,(1 - f/n)\,r)}$ when f > 1. Note that it is indeed interesting to consider the f = 1 case separately, because it corresponds to the situation where nodes in the clerk sets have no incentive to collaborate with the double spender to let him get away undetected, and is closely related to the selfish but rational models used in game theoretic analysis of security protocols (cf. [IML05]).

Finally we prove that making use of the coin identifier to construct coin specific clerk spaces of size β at least $d + \frac{s+1}{\log((n-d)/(f-d))}$, clerk sets sampled from this space of size at least $\frac{\beta}{r \log e}\,(s + 1 + \log(r+2))$ suffice to detect a coin that is double spent at least r times.

These results tell us the following. Deterministically, clerk sets that have $\sqrt{nf}$ nodes suffice. For any reasonable f this is unworkable. Using randomisation, $\sqrt{n/(1 - f/n)}$ is good enough. For decent fractions of faulty nodes (e.g., f/n = 1/2) this stays $O(\sqrt{n})$. When we relax the double spending detection requirement and allow up to r double spendings to be undetected, clerk sets can be further reduced by a $\sqrt{r}$ factor. Finally, if we use information stored in the coin, the size of the clerk sets becomes independent of the size of the network, depending only on the inverse ratio n/f of faulty nodes, and the number of corruptable nodes d.

² r denotes the number of times a coin is double spent. To be precise, when a node spends the same coin x times, then r = x − 1.
1.2 Related research

The deterministic variant of distributed double spending prevention, i.e., the one where double spending is always prevented, is equivalent to the problem of distributing a database over n nodes, f of which may be faulty. Quorum systems (cf. [MR98, MRWW01]) have been studied as an abstraction of this problem, to increase the availability and efficiency of replicated data. A quorum system is a set of subsets (called quorums) of servers such that every two subsets intersect. This intersection property guarantees that if a write-operation is performed at one quorum, and later a read-operation is performed at another quorum, then there is some server that observes both operations and therefore is able to provide the up-to-date value to the reader. The clerk sets in our work correspond to the quorums in that line of research. We do note however that the relaxation of allowing up to r double spendings to occur is not covered by the work on quorum systems.

Our approach is in a sense a dual to the one advocated by Jarecki and Odlyzko [JO97] (and similarly by Yacobi [Yac99]), in which double spending is prevented probabilistically and efficiently by checking a payment with the central bank only with some probability (instead of always).

1.3 Structure of the paper 

The paper is organised as follows. We first describe the model and the basic 
system architecture in Section 2. This fixes the way coins are represented and 
spent among nodes, and describes how clerk sets are used to detect double 
spending. This architecture is independent of how the clerk sets are constructed. 
Different construction methods yield different performance, as described in the 
sections following. It is exactly these combinatorial constructions that are the 
main contributions of this paper. 

We analyse the performance of fixed clerk sets in Section 3, followed by the analysis of randomly chosen clerk sets in Section 4. Next, in Section 5, we study what happens if we allow coins to be double spent more often, up to a certain limit r. Then, in Section 6 we discuss ways to further reduce the size of the clerk sets by making use of information in the coin. We conclude with a thorough discussion of our results in Sect. 7.



2 Model and notation 

We assume a distributed system consisting of n nodes, at most f of which are dishonest. The dishonest nodes are under the control of the adversary. If the system is a peer-to-peer (P2P) overlay network, the nodes receive a random identifier when joining. This identifier is not under the control of the adversary. The adversary may, however, be able to compromise d out of the f dishonest nodes after joining the network, i.e., it may compromise at most d nodes for which it knows the P2P identifier³.

Each node owns a pair of public and private keys. A signature $[m]_i$ of node i on a message m can be verified by all other nodes. We let log denote the logarithm base 2.

The system handles coins, that are uniquely identified by a coin identifier cid. Valid coin identifiers cannot 'easily' be generated by nodes themselves. Nodes can distinguish valid coins from invalid ones. A detailed discussion on how nodes initially obtain such coins lies outside the scope of this paper. But to argue the viability of our approach, we briefly mention the following two options. Coins could, for instance, be distributed initially by a central authority. In this case, the coin identifier incorporates a digital signature from this authority. Or they could be generated by the nodes themselves by finding collisions in a hash function h (cf. [GH05]). Then, the coin identifier contains the pair x, y such that $h(x) = h(y)$.

Nodes communicate by exchanging messages. We assume a completely con- 
nected network, or a suitable routing overlay. The network is asynchronous. In 
particular, coins may be spent concurrently. The network is static: no nodes join 
or leave the network once the system runs. 

All in all these are quite strong assumptions (a static network, with a network wide PKI, and a point-to-point communication substrate), but not unreasonably so. In any case, they allow us to focus on the main research issue: the combinatorial analysis of distributing the task of an otherwise centralised bank over the nodes of a distributed system, such that double spending is prevented.

The adversary tries to double spend a single coin at least r times (when a node spends a single coin x times, then r = x − 1). We say the system is secure with security parameter s if the adversary must perform an expected $O(2^s)$ amount of work in order to be successful. We show this by proving that the probability of success for the adversary for a single try is at most $2^{-s}$.

We note that we do not consider denial of service attacks, for example attacks where the clerk sets receive polluted information from dishonest nodes to invalidate coins held by honest nodes.

2.1 Distributing the bank 

Throughout the paper we assume the following system architecture to distribute 
the bank over the nodes in the network. 

A coin is uniquely determined by its coin-id cid. Spending a coin transfers ownership of that coin from a sender s to a receiver r. We use the following method (also depicted in Figure 1): the receiver sends a nonce z to the sender, who then signs the coin, together with the nonce and the name of the receiver, sending the result

$c_{i+1} = [c_i, z, r]_s$



³ This distinction between f and d turns out to be only significant in the case where coin identifiers are used to restrict the size of the clerk sets.
sender s                      receiver r                          clerk b
                              Generate nonce z
         <---- z ------------
Spend coin c_i:
c_{i+1} = [c_i, z, r]_s
         ---- c_{i+1} ------>
Delete coin c_i               Receive c_{i+1}.
                              Verify nonce and signature.
                              Obtain B_{r,c_{i+1}}.
                              C = ∅
                              Foreach b ∈ B_{r,c_{i+1}}:
                                        ---- c_{i+1} -------->  Lookup cid(c_{i+1}) in DB_b.
                                                                Insert c_{i+1} in DB_b.
                                                                C' = {c ∈ DB_b | cid(c) = cid(c_{i+1})}
                                        <------- C' ----------
                                  add C' to C.
                              When all C' received:
                              Accept if c ≺ c_{i+1} for all c ∈ C.

Fig. 1. Coin spending and detection protocol.



back to the receiver. We call $c_i$ the immediate prefix of $c_{i+1}$ (denoted $c_i \to c_{i+1}$), and require that s equals the receiver of $c_i$ (otherwise $c_i$ should not have been in the possession of s in the first place). An unspent coin simply corresponds to its coin-id cid. c is a prefix of c', denoted $c \preceq c'$, if there is a sequence of coins $c_0, \ldots, c_k$, $k \ge 0$ such that $c = c_0$, $c_k = c'$ and $c_i \to c_{i+1}$ for all $0 \le i < k$. The coin-id cid(c) of a coin equals its shortest prefix, or c itself if no prefix exists.

So called clerk sets are used to verify the validity of a coin. These clerk sets consist of nodes in the network that simulate a bank in a distributed fashion. The selection of nodes that are members of a clerk set $B_{r,c}$ can be done either deterministically or randomly, and may depend on both the node r accepting the coin and the coin identifier cid(c) of the coin being accepted. To perform their duties, the nodes in a clerk set store the history of coins. When a receiver r receives a coin c, it first verifies the signature, the nonce, and the sender. It then requests from each clerk in the clerk set $B_{r,c}$ the coins with coin-id cid(c) that it stores. At the same time, the clerks store c. These two steps are one atomic operation. If all coins r receives from its clerk set are proper prefixes of c, it accepts the coin. Otherwise it rejects the coin.

We note that the size of a coin increases every time it is spent, because of the signature that must be added. Similarly, the set of coins stored by the clerk sets grows without bounds. Dealing with these unbounded space requirements falls outside the scope of this paper. We discuss some ways to bound the space requirements in Sect. 7.

The remainder of this paper assumes the above protocol for spending a coin, and is merely concerned with different methods for obtaining $B_{r,c_{i+1}}$ such that double spending is prevented. The following property of the system described above is the basis for the main results of this paper.

Property 2.1. Let j and k be honest nodes, and let c be a coin. If $B_{j,c} \cap B_{k,c}$ contains at least one honest node, then no node can double spend a coin with coin-id cid(c) at both j and k using the protocol described above.

Proof. Let x be the honest node in $B_{j,c} \cap B_{k,c}$. If i manages to double spend c at both j and k (j = k is possible), x receives a request to lookup (and immediately store) $c_j = [c', z_j, j]_i$ from j and $c_k = [c'', z_k, k]_i$ from k (with unique nonces $z_j$ and $z_k$) where $cid(c_j) = cid(c_k)$, $c_j \ne c_k$ and $c_j \not\preceq c_k$ (by definition of double spending). W.l.o.g. assume j makes that request to x first. Then j stores $c_j$ at $DB_x$ before k requests all coins with $cid(c) = cid(c_k)$. Then k retrieves $c_j$ with $c_j \ne c_k$ and hence k does not accept $c_k$. □

Observe that the inclusion of nonces in the coin spending phase is really only 
necessary to determine the exact node that double-spent the coin first. 
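The protocol of Section 2.1 and the argument of Property 2.1, as an added example that is not code from the paper: coins are modelled as prefix chains, clerks keep the history $DB_b$ and perform the atomic lookup-then-store step of Fig. 1, and a receiver accepts only if every coin its clerk set reports is a proper prefix of the coin offered. Signatures are modelled by the sender's name inside each record; node names and the coin-id are constructed values. The three double spending scenarios show that detection hinges on an honest clerk in the intersection of the two clerk sets.

```python
"""
Simulation of the coin spending and detection protocol of Section 2.1 and of
Property 2.1. Added example, not code from the paper. A coin is a chain of
records: its coin-id followed by one (nonce, receiver, sender) record per
spending, so c_i is a prefix of c_{i+1}. The signature [.]_s is modelled by
the sender's name inside the record (a real node would sign with its private
key and the receiver would verify it). Node names and the coin-id are
constructed values.
"""
from typing import List, Optional, Tuple

Coin = tuple  # ("cid",) for an unspent coin, then one record per spending


def cid(coin: Coin) -> str:
    """Coin identifier: the shortest prefix, i.e. the first record."""
    return coin[0]


def is_proper_prefix(c: Coin, d: Coin) -> bool:
    """c is a proper prefix of d: d extends c by at least one spending."""
    return len(c) < len(d) and d[: len(c)] == c


class Clerk:
    """A node acting as a member of clerk sets; keeps the history DB_b."""

    def __init__(self, name: str, honest: bool = True) -> None:
        self.name = name
        self.honest = honest
        self.db: List[Coin] = []

    def lookup_and_store(self, coin: Coin) -> List[Coin]:
        """The atomic clerk step of Fig. 1: return every stored coin with the
        same coin-id, then store the new coin. A clerk colluding with the
        double spender answers 'nothing seen' and records nothing."""
        if not self.honest:
            return []
        seen = [c for c in self.db if cid(c) == cid(coin)]
        self.db.append(coin)
        return seen


def spend(coin: Coin, sender: str, receiver: str, nonce: int) -> Coin:
    """Sender side: c_{i+1} = [c_i, z, r]_s."""
    return coin + ((nonce, receiver, sender),)


def receive(c_next: Coin, sender: str, receiver: str, nonce: int,
            clerks: List[Clerk]) -> bool:
    """Receiver side: verify nonce, receiver name and 'signature', check that
    the sender was the last receiver, then accept iff every coin the clerk
    set reports is a proper prefix of c_next."""
    if c_next[-1] != (nonce, receiver, sender):
        return False                       # wrong nonce/receiver/signer
    c_prev = c_next[:-1]
    if len(c_prev) > 1 and c_prev[-1][1] != sender:
        return False                       # sender never received c_i
    reported: List[Coin] = []
    for clerk in clerks:                   # B_{r,c_{i+1}}
        reported.extend(clerk.lookup_and_store(c_next))
    return all(is_proper_prefix(c, c_next) for c in reported)


def legitimate_chain() -> Tuple[bool, bool]:
    """a spends to j, j spends on to k, one honest clerk x: both accepted."""
    x = Clerk("x")
    c1 = spend(("coin-7",), "a", "j", nonce=5)
    ok1 = receive(c1, "a", "j", 5, [x])
    c2 = spend(c1, "j", "k", nonce=6)
    ok2 = receive(c2, "j", "k", 6, [x])
    return ok1, ok2


def double_spend_scenario(shared_clerk: Optional[bool]) -> Tuple[bool, bool]:
    """Node a spends the same unspent coin at j and then at k.

    shared_clerk=True : B_j and B_k share an honest clerk (Property 2.1)
    shared_clerk=False: they share only a clerk colluding with a
    shared_clerk=None : they are disjoint
    Returns (accepted by j, accepted by k)."""
    x = Clerk("x", honest=(shared_clerk is not False))
    if shared_clerk is None:
        b_j, b_k = [Clerk("b1"), Clerk("b2")], [Clerk("b3"), Clerk("b4")]
    else:
        b_j, b_k = [Clerk("b1"), x], [Clerk("b3"), x]
    coin = ("coin-42",)
    c_j = spend(coin, "a", "j", nonce=1111)
    ok_j = receive(c_j, "a", "j", 1111, b_j)
    c_k = spend(coin, "a", "k", nonce=2222)     # same coin again
    ok_k = receive(c_k, "a", "k", 2222, b_k)
    return ok_j, ok_k


if __name__ == "__main__":
    print("legitimate chain      :", legitimate_chain())
    print("shared honest clerk   :", double_spend_scenario(True))
    print("shared colluding clerk:", double_spend_scenario(False))
    print("disjoint clerk sets   :", double_spend_scenario(None))
```

With a shared honest clerk the second spending is rejected because the clerk already holds $c_j$, which is not a prefix of $c_k$; with disjoint clerk sets, or a shared clerk that colludes, both spendings are accepted, which is exactly the gap the clerk-set constructions of the following sections are designed to close.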

3 Fixed clerk sets: deterministic case 

We will now study several methods to assign clerk sets to nodes. We start with the deterministic case where each node i is given a fixed clerk set $B_i$. We assume d = f (in the deterministic case it makes no difference whether the adversary can corrupt the nodes after they join the network or only before that: it can ensure in advance to only double spend at nodes for which the clerk sets contain no honest nodes).

If, except for the node trying to double spend, there are no dishonest nodes, we only need to require $B_i \cap B_j \ne \emptyset$ (and the double spender should not be the only node in that intersection). Clearly, we can set $B_i = \{b\}$ for all i and some clerk b. This coincides with the 'central bank' case described in the introduction. In this paper we are of course interested in the distributed case, where there should be no single point of failure, and where the load for preventing double spending is evenly distributed over all participating nodes. The optimal construction of such sets was already studied in the context of the distributed match-making problem by Mullender and Vitányi [MV88, EFF85]. They show that an assignment of sets exists such that $|B_i| \le 2\sqrt{n}$ for all i, while for all i, j: $B_i \cap B_j \ne \emptyset$. They also prove a matching lower bound⁴.

Now suppose we do have f dishonest nodes. Using the techniques outlined above, we arrive at the following bound.

⁴ Note that if we somehow could construct a 'uniform, randomised' selection of the node responsible for keeping track of the current owner of a coin, then using this single node as the clerk set for that coin would implement a distributed solution to the problem. This is studied in more detail in Section 6.
Theorem 3.1. Double spending is deterministically prevented with fixed clerk sets of size $2\sqrt{n(f+1)}$, when there are at most f dishonest nodes.

Proof. To guarantee detection of double spending we need at least f + 1 clerks in the intersection of any two clerk sets, hence

$|B_i \cap B_j| > f$ .

One way to approach this extension is as follows. Cluster the n nodes into groups of f + 1 nodes each (for simplicity assume f + 1 exactly divides n). For the resulting so-called supernodes $N_i$, create super clerk sets $\hat{B}_i$ as before. Now for each original node i, let its clerk set be the union of the nodes in the super nodes that are a member of its super clerk set $\hat{B}_i$. In other words, let j be a member of super node $N_i$. Then

$B_j = \bigcup_{N_k \in \hat{B}_i} N_k$ .

We know $|\hat{B}_i| \le 2\sqrt{n/(f+1)}$, and that each super node covers f + 1 nodes. Hence $|B_j| \le 2\sqrt{n(f+1)}$. By construction, for any pair i, j there is an $N_k \in \hat{B}_i \cap \hat{B}_j$. Hence $|B_i \cap B_j| > f$. □



4 Random clerk sets 

We now consider the case where each time a node i receives a coin it generates a different random clerk set $B_i$ to verify that the coin is not being double spent⁵. Now suppose we have f dishonest nodes. Again we assume d = f (because the clerk sets are regenerated every time a coin is received, the adversary gains no advantage if it is able to corrupt some nodes right after system initialisation).

Theorem 4.1. Double spending is prevented with overwhelming probability using random clerk sets of size at least $\sqrt{\frac{ns}{\log e\,(1 - f/n)}}$ .

Proof. Let $B_i$ be given, and randomly construct $B_j$. Let b be the size of the clerk sets that we aim to bound. $B_j$ does not prevent double spending if it only contains nodes not in $B_i$, unless they are dishonest. To simplify analysis, let us assume that in the random construction of the set $B_j$ (and the given set $B_i$) we are sampling with replacement. This way we overestimate the probability of constructing such a bad set (because we do not reduce the possible number of bad choices that would occur with sampling without replacement). We will then show that even with this overestimation, this event will occur with probability at most $2^{-s}$.



⁵ Actually, in this case a node can use the same randomly generated clerk set throughout, provided that d = 0. This is no longer the case when we allow small multiple spendings, analysed in Section 5.
For each member x of $B_j$, we should either pick a node not in $B_i$ (with probability $\frac{n-b}{n}$); or if we do (with probability $\frac{b}{n}$) this node should be dishonest. Each node in $B_i$ has probability $\frac{f}{n}$ to be dishonest. Hence

$\Pr[x \text{ is bad}] = \frac{n-b}{n} + \frac{b}{n}\cdot\frac{f}{n} = 1 - \frac{b}{n}\left(1 - \frac{f}{n}\right)$ .

Then

$\Pr[B_j \text{ is bad}] = \prod_{x \in B_j} \Pr[x \text{ is bad}] = \left(1 - \frac{(1 - f/n)\,b}{n}\right)^{b}$ .

With $(1 - \frac{1}{x})^{x} \le e^{-1}$, the latter can be bounded from above by $e^{-(1 - f/n)\,b^2/n}$. We require $\Pr[B_j \text{ is bad}] \le 2^{-s}$. This is achieved when

$e^{-(1 - f/n)\,b^2/n} \le 2^{-s}$ .

Taking logarithms and rearranging proves the theorem. □

This improves the deterministic case, where we have a $\sqrt{f}$ dependence on f.



5 When coins get spent more often 

Clearly, the problem of double spending becomes more pressing when coins are double spent (much) more than once. We will now show that this can be prevented with high probability with even smaller clerk sets. Note that multiple double spending only helps to reduce the size of the clerk sets in the randomised case: in the deterministic case either the first double spending is prevented straight away, or no double spending is prevented at all.

Let r be the number of times a single coin is double spent by the same node⁶. We first consider the failure free case, i.e., except for the node trying to double spend, there are no dishonest nodes. This case captures the situation where nodes in the clerk sets have no incentive to collaborate with the double spender to let him get away undetected, and is closely related to the selfish but rational models used in game theoretic analysis of security protocols (cf. [IML05]).

Theorem 5.1. When only the owner of a coin is dishonest, double spending of a single coin at least r times is prevented with overwhelming probability using random clerk sets of size b such that $b \ge \sqrt{2ns/(r(r-1))} + 1$ (or b > ).

Proof. Let $B_i$ be the set used for the verification of the coin when it is spent for the i-th time. Let q be the node double spending. There are r + 1 such sets if the coin is double spent r times. If double spending is not detected one of those r times, the adversary wins. This happens when $B_i \cap B_j$ contains at most the double spender q itself, for all pairs i, j. The probability that this happens is computed as follows (where we assume $(r+1)b \le n$ or else such a collection of sets simply does not exist).



⁶ Recall that when a node spends the same coin x times, then r = x − 1.
After constructing the i-th set such that none of the i sets (each with b members) mutually intersect except on the double spender q, there are at most $n - i(b-1)$ nodes to choose from for the (i+1)-th set, and the probability that this set does not intersect the i others except on q becomes at most $\binom{n - i(b-1)}{b-1} / \binom{n}{b-1}$. Expanding binomials to their factorial representation, and cancelling factorials in numerators and denominators, we conclude that this is less than

$\left(\frac{n - i(b-1)}{n - b + 1}\right)^{b-1}$ .

Hence

$\Pr[\text{double spending not detected}] \le \prod_{i=1}^{r} \left(\frac{n - i(b-1)}{n - b + 1}\right)^{b-1}$ .

We want this latter expression to be negligible, i.e., less than $2^{-s}$. Inverting fractions and taking logarithms this leads to the inequality

$\sum_{i=1}^{r} (b-1)\,\log\frac{n - b + 1}{n - i(b-1)} \ge s$ .

Using $(r+1)b \le n$ we see $\frac{(i-1)(b-1)}{n} \le 1$. Using this, and the fact that $\log(1+x) \ge x$ for all x between 0 and 1, we have

$\log\frac{n - b + 1}{n - i(b-1)} = \log\left(1 + \frac{(i-1)(b-1)}{n - i(b-1)}\right) \ge \log\left(1 + \frac{(i-1)(b-1)}{n}\right) \ge \frac{(i-1)(b-1)}{n}$ .

Hence we require

$\sum_{i=1}^{r} \frac{(i-1)(b-1)^2}{n} = \frac{r(r-1)(b-1)^2}{2n} \ge s$ .

Simplifying this proves the theorem. □
Next, we consider the case when there are at most f > 1 dishonest nodes.

Theorem 5.2. Double spending of a single coin at least r times is prevented with overwhelming probability using random clerk sets of size at least

$\sqrt{\frac{ns}{\log e\,(1 - f/n)\,r}}$ .

Proof. Again, let there be r + 1 sets $B_i$, each used for the verification of the coin when it is spent for the i-th time. Let F denote the set of faulty nodes. If double spending is not detected one of those r + 1 times, the adversary wins. This happens when

$(B_i \cap B_j) \setminus F = \emptyset$, for all i, j .
We are going to estimate the probability that this happens by only considering $B_1 \cap B_j \setminus F$ for all $j \ne 1$. Then

$\Pr[\text{double spending not detected}] \le \left(\Pr[B_1 \cap B_j \setminus F = \emptyset]\right)^{r} \le \left(\Pr[x \text{ is bad}]\right)^{br}$

where in the last step we consider an arbitrary x and sample with replacement. This latter probability is, like in the proof of Theorem 4.1,

$\Pr[x \text{ is bad}] = \frac{n-b}{n} + \frac{b}{n}\cdot\frac{f}{n} = 1 - \frac{b}{n}\left(1 - \frac{f}{n}\right)$ .

Proceeding similarly to that proof, we obtain $b \ge \sqrt{\frac{ns}{\log e\,(1 - f/n)\,r}}$. □

The bound appears not to be tight (in fact it is worse than Theorem 5.1 by a factor $\sqrt{r}$) because we only estimated the probability that no clerk set intersects with the first clerk set, thus greatly exaggerating the success of the adversary. Simulations suggest that the size of the clerk sets b is indeed inversely proportional to the number of clerk sets r even when faulty nodes exist.
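The clerk-set sizes of Theorems 3.1, 4.1 and 5.2 side by side with a Monte Carlo run of the model of Sections 4 and 5, as an added example that is not the paper's own code. The bound functions transcribe the theorem statements (with the paper's base-2 log). The simulation samples clerk sets without replacement, whereas the proofs sample with replacement and thereby over-estimate the adversary, so the measured frequency of undetected double spending should stay below the $2^{-s}$ target; the parameters n = 200, f = 100, s = 4 are constructed.

```python
"""
Clerk-set sizes from Theorems 3.1, 4.1 and 5.2, next to a Monte Carlo
estimate of the adversary's success probability. Added example, not the
paper's own code. The bounds are transcribed from the theorem statements;
the simulation samples clerk sets without replacement, whereas the proofs
sample with replacement (which only over-estimates the adversary's chances),
so the measured frequency should stay below the 2^-s target.
"""
import math
import random
from typing import List, Set

# 'log' in the paper is the base-2 logarithm, so 'log e' is log2(e) = 1/ln 2.
LOG2_E = math.log2(math.e)


def det_bound(n: int, f: int) -> float:
    """Theorem 3.1: fixed clerk sets of size 2*sqrt(n(f+1)) always detect."""
    return 2 * math.sqrt(n * (f + 1))


def rand_bound(n: int, f: int, s: int) -> float:
    """Theorem 4.1: random clerk sets of size sqrt(ns / (log e (1 - f/n)))."""
    return math.sqrt(n * s / (LOG2_E * (1 - f / n)))


def multi_bound(n: int, f: int, s: int, r: int) -> float:
    """Theorem 5.2: when only r-fold double spending must be caught, the
    Theorem 4.1 size shrinks by a factor sqrt(r)."""
    return rand_bound(n, f, s) / math.sqrt(r)


def undetected(n: int, f: int, b: int, r: int, rng: random.Random) -> bool:
    """One trial of the model of Sections 4 and 5.

    Node 0 is the double spender q; the other f-1 dishonest nodes are placed
    at random (P2P identifiers are not under the adversary's control). The
    coin is spent r+1 times and each receiver draws a fresh clerk set of b
    nodes. By Property 2.1 the adversary only wins if no two clerk sets
    share an honest node.
    """
    dishonest: Set[int] = {0} | set(rng.sample(range(1, n), f - 1))
    sets: List[Set[int]] = [set(rng.sample(range(n), b)) for _ in range(r + 1)]
    for i in range(r + 1):
        for j in range(i + 1, r + 1):
            if (sets[i] & sets[j]) - dishonest:
                return False  # an honest clerk sees both spendings
    return True


def estimate(n: int, f: int, b: int, r: int,
             trials: int = 4000, seed: int = 1) -> float:
    """Empirical Pr[double spending not detected] over `trials` runs."""
    rng = random.Random(seed)
    wins = sum(undetected(n, f, b, r, rng) for _ in range(trials))
    return wins / trials


if __name__ == "__main__":
    n, f, s = 200, 100, 4          # constructed parameters: half the nodes dishonest
    b = math.ceil(rand_bound(n, f, s))
    print(f"deterministic size 2*sqrt(n(f+1)) = {det_bound(n, f):.1f}")
    print(f"random size from Theorem 4.1      = {b}  (target 2^-s = {2 ** -s})")
    print(f"measured Pr[undetected], r=1      = {estimate(n, f, b, 1):.4f}")
    for r in (2, 4, 8):
        print(f"r={r}: Theorem 5.2 size {multi_bound(n, f, s, r):.1f}, "
              f"measured with b={b}: {estimate(n, f, b, r):.4f}")
```

Keeping b fixed at the Theorem 4.1 size and raising r shows how quickly the adversary's chances collapse once several clerk sets must all miss each other, which is the slack the simulations mentioned above exploit; lowering b to the Theorem 5.2 size for the same r is the trade-off the theorem makes explicit.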



6 Coin-specific clerk sets 

Up till now, we have assumed that clerk sets are constructed independent of the 
coin that needs to be checked. This is a restriction. In fact, we will now show that 
under certain circumstances, the use of the coin identifier in the construction of 
the clerk sets may help reducing the size of the clerk sets even further. 

In previous work on digital karma [GH05] we investigated the design of a decentralised currency for P2P networks with double-spending detection. We showed the following result, given an assignment of β nodes derived from a coin identifier cid by

$B_{cid} = \{\, h^{i}(cid) \bmod n \mid 1 \le i \le \beta \,\}$

(where we ignore the possibility of collisions for the moment) where h is a random hash function.

Lemma 6.1 ([GH05]). If $\beta \ge d + \frac{s}{\log((n-d)/(f-d))}$, then $B_{cid}$ contains only dishonest nodes with probability less than $2^{-s}$.

Note that in the proof of this result we use the fact that the adversary controls at most d nodes for which it knows membership of a particular set $B_{cid}$; for all other f − d dishonest nodes membership of this set is entirely random.

Using this new approach as a starting point, we now analyse how frequent 
double spending of a single coin can be prevented more efficiently. 

Clearly, when there are no dishonest nodes, the single node clerk set $B_{cid} = \{h(cid)\}$ suffices to prevent double spending (provided of course that the coin is never spent by this particular node itself). This is a distributed solution because the hash function distributes the clerk assignment uniformly over all available nodes.

Similarly, using Lemma 6.1, we see that using $B_{cid}$ as the clerk set each time coin cid is spent, double spending is prevented with overwhelming probability as well, even if the adversary gets to corrupt d out of f nodes of his own choosing. This is summarised in the following theorem.

Theorem 6.2. Double spending is prevented with overwhelming probability using clerk sets derived from a coin identifier, of size at least $\beta \ge d + \frac{s}{\log((n-d)/(f-d))}$ .

But we can do even better than that if we are willing to allow a coin to be double spent at most r times. The idea is to start with the coin-specific clerk space $B_{cid}$ of size β, but to use a smaller random subset $B_i \subseteq B_{cid}$ of size b as the clerk set to use when spending the coin for the i-th time.

Observe that the size of the clerk space now is more or less independent of n: it only depends on the fraction of dishonest nodes. Compared to the original randomised clerk set case (see Theorem 4.1) when setting d = 0 we see that β increases much less rapidly with increasing fraction of dishonest nodes. Note that reducing the sample space in this original case from n to say n' would improve the bound; however, the solution would no longer be distributed because certain nodes never would become members of a clerk set.

Theorem 6.3. Double spending of a single coin cid at least r times is prevented with overwhelming probability using coin specific clerk spaces of size β at least

$d + \frac{s+1}{\log((n-d)/(f-d))}$ and clerk sets sampled from this space of size at least $\frac{\beta}{r \log e}\,(s + 1 + \log(r+2))$ .

Proof. Consider an arbitrary coin with coin identifier cid. Let $\beta = |B_{cid}|$. From Lemma 6.1 we know that if $\beta \ge d + \frac{s+1}{\log((n-d)/(f-d))}$, then $B_{cid}$ contains no honest nodes with negligible probability $2^{-(s+1)}$.

Let this coin be double spent r ≥ 1 times, and let $B_i \subseteq B_{cid}$ be a random subset of size b that serves as the clerk set to use when spending the coin for the i-th time. We will show that when $B_{cid}$ contains at least one honest node x, the probability that x is not a member of at least two sets $B_i$ and $B_j$ is again at most $2^{-(s+1)}$. Multiplying these two probabilities we can conclude that the adversary can only succeed spending the coin r times with probability at most $2^{-s}$, which proves the theorem.

We bound the probability that x is not a member of at least two sets $B_i$ and $B_j$ as follows. We have

$\Pr[x \notin B_i] = \frac{\beta - b}{\beta}$ .

Call this probability p. Then $q = 1 - p = \frac{b}{\beta}$. Let X be a random variable denoting the number of sets $B_i$ of which x is a member. Then

$\Pr[X \le 1] = p^{r+1} + \binom{r+1}{1} p^{r} q$ .

Assume for the moment that $b \ge \beta/2$. Then $q \ge p$ and hence $\Pr[X \le 1] \le (r+2)\,q\,p^{r}$, which should be less than $2^{-(s+1)}$. Substituting the values for p and q and using $q \le 1$, this is achieved when

$(r+2)\left(1 - \frac{b}{\beta}\right)^{r} \le 2^{-(s+1)}$ .

Using $(1 - \frac{1}{x})^{x} \le 1/e$ and taking logarithms we need

$\log(r+2) - r \log e \cdot \frac{b}{\beta} \le -(s+1)$ .

From this the theorem follows. □

The proof of this theorem uses a rather crude approximation of the probability that an adversary can cheat. In fact, it is far more likely that a coin specific clerk space contains more than one honest node, making it harder for the adversary to avoid them in the r clerk sets.
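The coin-specific construction of this section, as an added example that is neither the paper's code nor that of the digital karma work it cites: the clerk space $B_{cid}$ is obtained by iterating a hash over the coin identifier and reducing modulo n, each spending then samples a subset of size b from it, and the functions `beta_bound` and `b_bound` transcribe Lemma 6.1/Theorem 6.2 and Theorem 6.3. SHA-256 stands in for the paper's random hash function (an assumption), repeated values are dropped (the collision case the paper ignores), and the coin identifier and parameters are constructed values.

```python
"""
Coin-specific clerk spaces of Section 6. Added example, not code from the
paper or from the digital karma work it cites. The clerk space is built by
iterating a hash over the coin identifier, B_cid = {h^i(cid) mod n | 1 <= i
<= beta}; each spending of the coin then draws a random subset of size b
from that space. SHA-256 stands in for the paper's 'random hash function'
(an assumption), and repeated values are dropped, which is the collision
case the paper ignores.
"""
import hashlib
import math
import random
from typing import Dict, List, Set

LOG2_E = math.log2(math.e)  # the paper's 'log' is base 2


def clerk_space(cid: bytes, n: int, beta: int) -> List[int]:
    """B_cid: apply h repeatedly to cid and reduce each digest modulo n.

    Every node can recompute this list from cid alone, so the clerks that
    'attract' a coin are fixed in advance (the drawback noted in Section 1).
    Collisions shrink the space slightly below beta.
    """
    space: List[int] = []
    seen: Set[int] = set()
    digest = cid
    for _ in range(beta):
        digest = hashlib.sha256(digest).digest()     # h^i(cid)
        node = int.from_bytes(digest, "big") % n
        if node not in seen:
            seen.add(node)
            space.append(node)
    return space


def beta_bound(n: int, f: int, d: int, s: int) -> float:
    """Lemma 6.1 / Theorem 6.2: with beta >= d + s / log((n-d)/(f-d)) the
    space holds only dishonest nodes with probability below 2^-s. The d
    nodes the adversary corrupts after joining are the only ones it can
    steer into B_cid; the other f-d dishonest nodes land there at random."""
    return d + s / math.log2((n - d) / (f - d))


def b_bound(beta: int, s: int, r: int) -> float:
    """Theorem 6.3: clerk sets of size (beta / (r log e)) (s + 1 + log(r+2))
    drawn from the space catch a coin double spent at least r times. The
    proof assumes b >= beta/2, so that is a floor on the usable value."""
    return beta / (r * LOG2_E) * (s + 1 + math.log2(r + 2))


def honest_node_seen_twice(space: List[int], honest: Set[int], b: int, r: int,
                           seed: int = 7) -> bool:
    """The event behind the proof of Theorem 6.3: the coin is spent r+1 times,
    each time with a random subset B_i of the space of size b, and the
    adversary loses as soon as one honest node of the space sits in two of
    the B_i (that node then sees both spendings, Property 2.1)."""
    rng = random.Random(seed)
    hits: Dict[int, int] = {}
    for _ in range(r + 1):
        for x in rng.sample(space, min(b, len(space))):
            if x in honest:
                hits[x] = hits.get(x, 0) + 1
                if hits[x] >= 2:
                    return True
    return False


if __name__ == "__main__":
    n, f, d, s, r = 10000, 1000, 10, 20, 64   # constructed parameters
    beta = math.ceil(beta_bound(n, f, d, s))
    b = max(math.ceil(b_bound(beta, s, r)), math.ceil(beta / 2))
    space = clerk_space(b"coin-42", n, beta)  # constructed coin identifier
    print(f"beta >= {beta}, b >= {b}, B_cid = {space}")
```

For these parameters the clerk space has only sixteen members although the network has ten thousand nodes, which is the independence from n observed after Theorem 6.2; the price is that anyone holding cid can compute the list, which is why Section 1 presents the uniformly random clerk sets as the alternative for settings where advance knowledge of the clerks is unacceptable.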



7 Conclusions & Further Research 

Interestingly, the probability of polling the central bank in the scheme of Jarecki and Odlyzko [JO97] is proportional to the amount of the transfer, such that the number of polling messages is constant for a given amount of credit: whether a user spends all her credit in a few big transactions, or many micro payments does not matter. To get a similar property in our scheme would require us to change the size of the clerk sets depending on the amount of the transaction (i.e., the value of the coin, if there are multi valued coins in the system), or to contact the clerk sets only with a certain probability for each transaction. Further research is necessary to explore these ideas and to determine their impact on the efficiency of double spending prevention in a decentralised, distributed currency scheme.

The current analysis is based on a few strong assumptions. For one thing, we 
assume that the network is static. To fully apply our ideas to for instance P2P 
networks requires us to take dynamic node joins and leaves into account. Also, we 
assume transmitting coins is an atomic operation. Probably, the coin transfer 
protocol becomes slightly more involved when we need to handle concurrent 
coin spending. Finally, the coin transfer protocol assumes that coins can grow 
unbounded in size: with every transfer of a coin, it gains another signature. 
Methods to reduce the space complexity should be investigated. This is not easy 
however, because the double spending prevention system depends on a more or 
less correct notion of time, and aims to record who owns which coin at what 
time. Preventing nodes from warping the coins they own into the future (and thus 
bypassing all double spending prevention) is not trivial. We do note however, 
that clerks only need to store the coin with the longest prefix for a particular 
coin identifier. 

Finally, there are other interesting approaches that might be useful to implement distributed double spending prevention.

One approach is to try to limit the rate at which nodes can spend coins in the first place. HashCash [Bac97] could be used to do this. In this setting, a node wishing to spend a coin is forced to spend a non-negligible amount of work first to compute some function, e.g., by finding a collision in a moderately strong hash function. The receiver of the coin verifies the function result and only accepts the coin when the result is correct. If a lower bound on the actual time needed to compute the function is known (and this is not always easy given the diversity of hardware platforms), this implies an upper bound on the amount of money a node can spend (and therefore double spend) in a given period of time.